Posted by Soulskill on Friday August 05, 2011 @11:37AM
from the panic-versus-sanity dept.

Several readers have sent in news of a presentation at the Black Hat security conference from a diabetic security researcher, Jerome Radcliffe, who is looking into the security of automated insulin pumps. While most of the headlines are sensationalist, referencing "lethal attacks from a half-mile away," Scott Hanselman breaks down the media reports and weeds out the inaccuracies, explaining that while this is a valid area of concern, diabetics don't need to cover themselves in tinfoil just yet.
"Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump. He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. ... What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing."

Various pumps record RF transmission of blood glucose readings from glucometers, or from continuous glucose sensors that connect to a pump. This includes the Medtronic Paradigm I'm wearing right now. But this number is visibly displayed as part of the setting to request a "bolus" of insulin, and no current pump that I can find closes the feedback loop and allows the glucose sensor to directly control the pump: this is because the continuous sensors are, basically, very expensive ouija boards that require

Omnipod and OneTouch Ping both use the same type of wireless control unit, though not directly inline with a CGM. The system he tested (Paradigm Reveal) is a 2 part loop that requires human interaction. (ie CGM tells you a glucose reading, then you use the pump to decide how much insulin to deliver.) All he was able to do was jam the data from the real CGM sensor and spoof it with false data. That's not exactly "hacked" but is a threat. The pumps with wireless control units are where I'd expect to see the primary fault and possible loss of control. (FYI, I'm a diabetic with a deep knowledge of both these systems from a user's perspective, as well as an IT worker in a medical field. These may not be perfect credentials, but I figure it might be relevant.)

biological neuro nets are inherently bad at making exact estimates, but they make up for it by being able to be sensitive to extremely small variations. compare perceived light levels indoors under lamps vs outdoors in sun, or perceived smell when a stench is first introduced to 6 hours later. look at the blue/yellow optical illusions, http://www.lottolab.org/illusiondemos/Demo%2012.html# [lottolab.org] when you activate the mask it will look like it is cheating and the squares are changing colors, confirm the honesty

There's an optional remote control [minimed.com] for the Paradigm that can be used to deliver insulin. It's a $150 accessory, and of the several pumpers I know (including myself), I don't know anyone who has one, but it does exist. Since you have to turn on the option from the pump (Utilities -> Connect Devices -> Remotes, on the 723), it's probably impossible to exploit on someone who doesn't already have a remote, but it seems entirely plausible to do so if they do.

Or further away with a more powerful transmitter and a directional antenna. Of course at the limit the attacker does away with the subtle approach and just blasts the device with an EMP (or you with a shotgun). Depends on how "accidental" he wants it to look.

Yeah, but in this case medical device #1 costs $5k - insulin pumps may be simple, but they are NOT cheap.

In theory the whole reason medical devices are so expensive is precisely because the vendor has to ensure that stuff like remote wireless hacks can't happen.

I've thought about what it would take to build an insulin pump. To do a cheap job probably wouldn't be very hard - a simple pump just needs a syringe with a plunger and a motor that runs at constant speed.

I imagine liability also plays largely into it. They have to be covered when one of these things kills someone and the family sues them for 3 billion dollars.

I've thought about what it would take to build an insulin pump.

When I first read this, I thought you were planning to do so! After reading the whole post I realized that wasn't your point, but at first I was envisioning some Arduino controlled contraption. I can't wait till this actually starts happening.. OSS/DIY medical gear!

- "Windows CE" Any device must be proven by the manufacturer to not cause patient harm if a component within it fails. This includes software, and when calculating probability of failure, software is assumed to fail 100% of the time.

- "cheap TTL monitor" Any hardware must conform to stringent medical standards and if fails be proven not to cause patient harm

-Since all software is assumed to fail 100% of the time, and by implication all software failures will cause harm, then no medical devices can include software of any sort? Is that what you're saying?

What about a "cheap TTL monitor" would fail which medical standards and necessarily cause patient harm on failure. TTL (transistor-transistor logic, unless it means something else in this field) can include fairly substantial voltages, but proper (not necessarily expensive, just proper consumer-grade design)

Since all software is assumed to fail 100% of the time, and by implication all software failures will cause harm, then no medical devices can include software of any sort? Is that what you're saying?

No. Software can fail and not cause harm. That's the art to system design - no matter what single failure happens to software on my systems, absolutely nothing hazardous can happen to the patient.

cheap TTL monitor

What you say is perfectly correct. It comes down to patient safety and whether all electrical design and safety have been taken into account. The medical device manufacturer would have to certify any monitor (or any other commercial device) for compliance, cheap or not.

Poor documentation is more strongly associated with "developed cheaply" than "developed fast". IMHO.

Oh, sorry, by the criteria you've stated, you can't have any sort of software in the device

I never said nor implied that

That was certainly the implication that I picked up ; hence the RAA (definition [wikipedia.org]).

It comes down to patient safety and whether all electrical design and safety have been taken into account. The medical device manufacturer would have to certify any monitor (or any other commercial device) for compliance, cheap or not.

I'm amazed that the simple system using Windows even passed the FDA validation tests. It would not have passed a simple FDA network validation if there is any chance that a signal could interfere with the operation. I was a project manager for implementing Laboratory Information Management Systems, better known as LIMS and we would have had a problem using wireless devices just to pass data from testing. If another wireless device on the same frequency or close to it could block or interfere is would have

My wife uses the OmniPod disposable pumps. They are controlled by a wireless PDA-like device. When she was switching from a conventional pump to the Omnis, I wrote to the company and asked them to explain to me how their wireless technology works, what protocols are they using, what security measures they have taken to protect the pods from malicious activity. My concern was the possibility of an outside party either deliberately or accidentally messing with the pod settings, and minimizing insulin delivery or pushing a huge bolus.

I even offered to sign an NDA. Obviously, the company was less than willing to divulge their proprietary secrets, and I was shuffled off to a PR flack, who just reiterated the same marketing material over and over.

Just a followup to this, I posted a summary of the article on Facebook, and my wife predictably reacted the same way the press did.

Me: "Guy gives a talk about the *possibility* of hacking a wireless insulin pump" Wife filter: ZOMG HACKERS ARE GOING TO KILL US!

After answering questions of responsible disclosure and security through obfuscation, she asked why someone would want to do such a thing as try to kill a diabetic. She was unfamiliar with the term "for teh lulz"

Certainly if you are going to build a medical device that uses wireless technology you need VERY strong security controls around authentication/etc. If somebody steals your handheld controller and does a mission impossible on it I could understand that no security is perfect. On the other hand, I shouldn't be able to take apart my insulin pump and then use what I learn to remote control your insulin pump.

I think both you and your wife are missing the most likely threat vector here. Black Hat hackers may not be, in general, the most empathic of people; but I doubt there are many that would simply kill a random diabetic for the Hell of trying a new hack. A much more plausible situation is someone using a mature form of this to kill a specific person that they hate or who has something they want, who also happens to be a diabetic, in a nearly untraceable way.

Note that I also said I was concerned that an outside party accidentally changes the settings on the pods. I think that is far more likely, but people aren't really going to think that walking past the microwave or the 802.11 router is really a threat.

I wouldn't worry about people trying to kill random people, however I do think that there are way too many people that would think it was "funny" to really mess with people. "Dude, did you see those four just drop like a rock! That was so cool!" For example http://en.wikipedia.org/wiki/Anonymous_(group)#Epilepsy_Foundation_forum_invasion [wikipedia.org] I just hope that the hackers are being as responsible as possible and are not going to publish this until any vulnerabilities are fixed. I would suggest publishing the resul

I've had a minimed paradigm for about 8 years now, and all of what Scott said makes sense. In addition, there are a few more things which make this impractical.
I assume the researcher is trying to hack the "Remote" option. Not only do you need to turn the remote option on, you need to add IDs of the remotes to the pump itself. So unless you can figure out how to add IDs remotely, you have to find someone with a remote, and get the ID from the remote.

Second, there's a limit (at least on my Paradigm version) of 20 units of insulin at a time. I haven't tried this, but I think there's a system to prevent you from giving multiple 20 unit boluses at a time. Since I take around 14 units for some meals, 20 units of insulin is conceivable to overcome just by eating sweets, and there's always glucagon injections in a pinch. My pump makes a sound when it is done giving a bolus, meaning the diabetic could notice that a bolus was given (perhaps the beep is turned off for continuous glucose monitoring systems though).

Finally, hypoglycemia is rarely fatal. From wikipedia [wikipedia.org]: "In nearly all cases, hypoglycemia that is severe enough to cause seizures or unconsciousness can be reversed without obvious harm to the brain." So even if you figure out how to give a remote bolus and succeed, it isn't likely to kill the diabetic.

I disagree. My wife is a brittle diabetic, and she's spent so much time in her childhood years at extreme highs and lows, she's become somewhat desensitized to low blood sugar until she's in the 50 range. There have been a few cases where she has felt a low coming on and collapsed before she could get to something to eat. Other times, she's acted drunk while hypoglycemic and refused to eat anything.

Of course, she's probably one of the exceptions for the "most diabetics" case, but it matters to me.

As a rule, the symptoms don't just come out of nowhere—if you're driving, and start to go hypoglycemic, you just pull over, treat it, wait 15 minutes, and start up again. (There is a such a thing as hypoglycemia unawareness, in which the symptoms do come on much faster and at a lower level of blood glucose, but that's an individual-specific thing that results from having too many lows to begin with, so it doesn't affect the general population of diabetics.) The bigger danger, as I said in my reply t

Sorry, but my mother is type 1 as well and hypoglycemia is the biggest danger she faces on a daily basis. Why? Because it can occur without her recognizing it. Sure we all know the symptoms, she certainly does, but one problem with low blood sugar is that you're not always thinking clearly and you don't always arrive at low blood sugar at the same rate. Worse, depending on many other issues one day's low blood sugar can have different results than another.

Yup, hypoglycemia is no joke - I help take care of somebody who is diabetic. Hospitals always err on the side of hyperglycemia as a result - it is harder for them to control sugar with everything going on so they'd rather go too high than too low.

That said, I've heard that studies have shown that tight sugar control improves hospital outcomes. That being the case I don't know why hospitals don't just put all their diabetics on insulin IV pumps. Check their sugar hourly until you get a baseline and then

What I was getting at is that more type 2 diabetics should be treated with pumps. I think that too many doctors settle for "the best that can be done with oral meds."

If that is good glucose control, then fine. However, often it isn't. From what I've both read and seen firsthand unless you're talking about an 85-year-old who you're consigned to putting in "hospice," you're much better off being more aggressive. While shots or a pump are inco

You are assuming there are no holes in the protocol. How is the ID pairing truly done? Is it possible to do some kind of hardware reset over the wireless interface, either by design or by an implementation flaw? Is the ID sent in clear, or is there some proper handshake going on? If there is a cryptographic handshake, is it based on a single common certificate? (Reverse engineering one remote would then still be enough to spoof the ID of any other.)

There is probably a debug ID that is hard coded to be accepted by all pumps within the model version. Basing my statements on absolutely nothing, I am pretty sure this is the case just because this is how the tech world works. Factory testing, device failure analysis, recovering locked out units with lost/broken remotes are not necessarily, but certainly most easily and cheaply (in terms of material and man work hours), implemented by hard coded privileges "protected" only by obfuscation... the burden of pro

Remote IDs, at least for some wireless, are not an issue. Sniff the network for IDs, spoof those IDs, and you're in. That is why on networks I want to remain private, I not only close the network and require MAC, but also have a password.

As far as the 20 unit limit, the security of this is dependent on whether the setting is in hardware or software. If it is in software, there is a possibility that the limits can be overridden and all insulin can be dumped. Even if in hardware, and constraints between dum

No, there's nothing to prevent you from giving multiple consecutive boluses. I occasionally eat enough in one sitting that I need about 30 units, and I just give myself a second bolus right after the first one. (More often one of them is actually a dual or square wave, but it does happen that both of them are normal boluses.) It's designed to guard against human error, nothing more.

As for the dangers of hypoglycemia... yes, it is fairly easy to treat a hypoglycemic seizure. I've had quite a few of th
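The questions raised in the posts above (how the pairing ID is actually checked, whether a sniffed ID is enough on its own, whether the 20-unit limit lives in software, and whether consecutive boluses are caught) can be made concrete with a toy model. This is an added example, not code from the original thread or from any pump vendor: the message format, the per-pairing key, the pump-issued nonce handshake and the 30-unit rolling-window cap are assumptions made for illustration; only the 20-unit per-bolus cap comes from the post above. It puts an ID-only check beside an authenticated, replay-resistant design with the dose policy enforced on the pump side.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Dose policy. The per-bolus cap is the figure quoted in the thread; the window
# cap and window length are assumptions for this toy model, not any vendor's numbers.
MAX_UNITS_PER_BOLUS = 20.0
MAX_UNITS_PER_WINDOW = 30.0
WINDOW_SECONDS = 3600


def command_bytes(remote_id: str, nonce: bytes, units: float) -> bytes:
    """Canonical encoding of one bolus command; remote and pump must agree on it."""
    return remote_id.encode() + b"|" + nonce + b"|" + f"{units:.2f}".encode()


def remote_sign(key: bytes, remote_id: str, nonce: bytes, units: float) -> bytes:
    """Remote side: authenticate a command with the per-pairing key (never sent over the air)."""
    return hmac.new(key, command_bytes(remote_id, nonce, units), hashlib.sha256).digest()


class IdOnlyPump:
    """Weak design discussed in the thread: the only check is that the remote ID is on the list."""

    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)

    def accept(self, remote_id: str, units: float) -> str:
        # Nothing ties the message to a key, a moment in time, or a dose budget.
        return "ok" if remote_id in self.allowed_ids else "reject: unknown remote"


@dataclass
class AuthenticatedPump:
    """Hardened design: per-pairing key, one-time pump-issued nonce, dose limits enforced on the pump."""
    paired_keys: dict                              # remote_id -> secret shared at pairing time
    outstanding_nonces: set = field(default_factory=set)
    delivered: list = field(default_factory=list)  # (timestamp, units) of accepted boluses

    def challenge(self) -> bytes:
        """Pump issues a fresh nonce; the remote must bind its next command to it."""
        nonce = secrets.token_bytes(16)
        self.outstanding_nonces.add(nonce)
        return nonce

    def accept(self, remote_id: str, nonce: bytes, units: float, tag: bytes, now: int) -> str:
        key = self.paired_keys.get(remote_id)
        if key is None:
            return "reject: unknown remote"
        if nonce not in self.outstanding_nonces:
            return "reject: stale or unknown nonce"      # replayed or never issued
        expected = hmac.new(key, command_bytes(remote_id, nonce, units), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad authenticator"           # right ID, wrong key
        self.outstanding_nonces.discard(nonce)           # consume: a valid message is honoured once
        if not 0 < units <= MAX_UNITS_PER_BOLUS:
            return "reject: per-bolus limit"
        recent = sum(u for t, u in self.delivered if now - t < WINDOW_SECONDS)
        if recent + units > MAX_UNITS_PER_WINDOW:
            return "reject: window limit"                # stacked boluses within the window
        self.delivered.append((now, units))
        return "ok"


def demo() -> dict:
    """Run the scenarios raised in the thread and return each outcome by name."""
    key = secrets.token_bytes(32)
    pump = AuthenticatedPump(paired_keys={"REMOTE-1": key})
    out = {}

    # 1. Legitimate meal bolus from the paired remote.
    n1 = pump.challenge()
    t1 = remote_sign(key, "REMOTE-1", n1, 14.0)
    out["honest"] = pump.accept("REMOTE-1", n1, 14.0, t1, now=1000)

    # 2. The identical bytes sent again (all that passive observation could yield).
    out["replay"] = pump.accept("REMOTE-1", n1, 14.0, t1, now=1001)

    # 3. A valid remote ID presented without the pairing key.
    n3 = pump.challenge()
    forged = remote_sign(b"not-the-pairing-key", "REMOTE-1", n3, 14.0)
    out["spoofed_id"] = pump.accept("REMOTE-1", n3, 14.0, forged, now=1002)

    # 4. Honest remote, single bolus above the per-bolus cap.
    n4 = pump.challenge()
    out["too_big"] = pump.accept("REMOTE-1", n4, 25.0, remote_sign(key, "REMOTE-1", n4, 25.0), now=1003)

    # 5. Honest remote, second bolus under the cap but stacking past the window cap (14 + 20 > 30).
    n5 = pump.challenge()
    out["stacked"] = pump.accept("REMOTE-1", n5, 20.0, remote_sign(key, "REMOTE-1", n5, 20.0), now=1004)

    # 6. The ID-only design has no way to tell a repeat from a fresh command.
    out["id_only_replay"] = IdOnlyPump(["REMOTE-1"]).accept("REMOTE-1", 14.0)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The design choice worth noting is that every rejection in `AuthenticatedPump` happens on the pump, where the remote (or whatever is impersonating it) has no say: a nonce is consumed the first time it is used, the authenticator is checked with a constant-time comparison, and the dose budget is tracked from what was actually delivered rather than from what the remote claims. A hard-coded "debug" key of the kind speculated about above would defeat the authenticator check for every unit of that model, which is why per-pairing secrets matter more than the strength of the MAC itself.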

One has to hope that these things were built with security in mind, but if the history of communication security is any guide...

One should not have to hope that these things were built with security in mind. One should be able to find out definitively. One should even be able to find out definitively that the FDA, or the AMA, or whoever is in charge has checked and certified that these things were built with security in mind.

The regulations surrounding medical devices require documentation, disclosure to regulatory bodies and fault analysis to the same degree as the safety surrounding manned space flight. It takes literally years to prove your device is safe before it can get released to the general public.

I realize many of these points are pointed out in the article, and I will be repeating them here for those of you who didn't read it:

There are several types of wireless communication built into my pump (a Minimed 722 with a CGMS sensor):
1.) Sensor (inserted elsewhere into body) sends current glucose level to pump
- Requires the sensor serial to be entered into the pump
- If hacked, would report a false glucose level to the pump. The pump NEVER acts on its own, it only informs you of what the level is, so no

You're assuming that the hacks wouldn't involve simulating the source of the signal. They don't actually have to obtain the professional software, they just have to figure out the protocol. This needs to be done once.

What else would a hack simulate but the signal source? In my first two instances, bad data is introduced, but there is no danger to the patient. In the third, bad instructions may be sent, but they are echoed by the pump before starting. In the fourth, you not only have to have a valid serial to simulate, but you have to address it directly to another serial. Did you read the article? The would-be hacker HAS the serials of his own devices, and still hasn't figured out how to hack them.

The debate here isn't about hacked firmware. The firmware isn't updatable, just the settings, either through the wireless or otherwise. I'm sure they could probably flash it back at the factory, but there's no way for me or my doctor to do it.

I spent a LOT of time in various hospitals and long-term care facilities over the last year (friend with cancer), and found that most now rely heavily on WiFi enabled IV/Medication pumps and monitors. Almost every piece of equipment I looked at had a WiFi indicator light on it (some even actually said "WiFi"). There were also several secure WiFi networks operating within each facility, including- thankfully- free public Internet access. Depending on what can actually be done with them remotely- I found this

One should strive to create the most efficient and secure code possible for intrinsic reasons, and insulin pump control software is no exception. That said, there are far easier ways to kill a man from half a mile away. Our brains' defenses are wholly inadequate to contend with a bullet fired from a sniper rifle. This isn't a bug, it's recognizing that we live in a dangerous world. Yes, we should secure medical devices against unintentional interference, but securing them against malice is like developi